How one law student is making Facebook get serious about privacy

The world’s largest legal battle against Facebook began with a class assignment. Student Max Schrems still hasn’t turned in his university paper on the topic, due well over a year ago, but he has already accomplished something bigger: forcing Facebook to alter its approach to user privacy. Now, Schrems wants cash—hundreds of thousands of euros—to launch the next phase of his campaign, a multi-year legal battle that might significantly redefine how Facebook controls the personal data on over one billion people worldwide.

"If we get €300,000 ($384,000), we can shoot from all cannons," the 25-year-old told Ars from his parents’ home in Salzburg, Austria.

What began as an academic assignment in spring 2011 quickly morphed into an advocacy organization called "Europe vs. Facebook." Over the last year, Schrems has encouraged tens of thousands of Facebook users worldwide to request copies of whatever data Facebook holds on each of them, as he has done. Under European Union law, Facebook is required to comply with these requests within 40 days, since its international (i.e., non-American) headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

As a way to compel Facebook Ireland to comply with existing EU law, Schrems filed 22 formal complaints with the Irish Office of the Data Protection Commissioner (ODPC) on August 18, 2011. Those complaints included charges that Facebook Ireland violated EU law by keeping records of "pokes" even after a user has deleted them, collecting data on non-Facebook users as a way to create "shadow profiles," performing automatic tagging, gathering personal data via "Friend Find," retaining records of deleted posts, retaining copies of deleted chat messages, retaining copies of deleted friends, and many others.

Schrems argues that Irish data protection authorities aren’t properly enforcing the law when it comes to Facebook, and he hopes that a judicial review will vindicate his position. If necessary, he plans to take his case all the way to the European Court of Justice in Luxembourg.

Max Schrems, 25, is leading a group called Europe vs. Facebook to force the social network to comply with EU data protection law.

In the meantime, Irish authorities have begun asking for changes, and Facebook has altered some of its policies. Just this month, Ars reported that Facebook changed the way it presents privacy information to new users, largely at the suggestion of the ODPC. Back in September, Facebook said it would disable facial recognition for European users, also under pressure from Irish authorities.

And those authorities say that they are now sticking it to Facebook on questions of privacy. "There have been points where we’ve had serious disagreements," Gary Davis, the ODPC’s deputy data protection commissioner, told Ars. "We’ve threatened serious enforcement action. But my sense is that Facebook is a company that gets it. What they get is that non-compliance with EU law is not good for their business."

"When we’ve come to that point where we’ve leaned across the table and said you need to do this, they’ve gone away and have done it," he added. "I’m certain that we have really turned the screws heavy on them."

As for Facebook, the company says that it takes discussions with critics seriously and that it is in "direct contact" with Schrems and Europe vs. Facebook. "Over the past year we have been working on an ongoing, continuous basis with our regulator in Europe, the Irish ODPC," said Tina Kulow, a Facebook spokesperson, in an e-mail to Ars. "The latest ODPC’s report demonstrates again how Facebook adheres to European data protection principles and is going beyond with commitment for best practices in data protection compliance."

Working separately, an Austrian law student and an under-staffed Irish data protection watchdog have helped bring worldwide improvements to Facebook's privacy policies. Here's how they did it.

Right of access

This battle began nearly 18 months ago in California. Schrems, a spiky-haired, feisty Austrian from the University of Vienna, was spending the semester as a visiting law student at Santa Clara University (SCU) in the heart of Silicon Valley. As part of a privacy seminar taught by Dorothy Glancy, one of America’s top privacy scholars, Schrems learned that one of the major principles of European privacy law was called the "right of access."

Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

- knowledge of the logic involved in any automatic processing of data

While in Glancy’s 25-person privacy seminar, Schrems had the opportunity to learn about privacy and data protection while also meeting with experts from various tech companies, including Facebook. When a company official came to speak with the class (neither Glancy nor Schrems will say who it was), it quickly became clear to Schrems that the man didn’t have a full grasp of this basic European privacy principle.

"He said that [Facebook sticks] to EU privacy law," Schrems said. "And I asked him about consent, and he said ‘We interpret consent in a way that as long as they don’t say no [then it’s OK].’ I had the feeling that he had never been to Europe and didn’t understand the cultural difference."

At an interview in San Francisco, Glancy gushed with praise for Schrems. "He is 10 times smarter than anybody that has done these kinds of practical projects," she told Ars. "He’s just very, very smart, in the cunning sense of smart. He also didn’t start asking questions until he knew he was right."

After the Facebook experience, Schrems decided to examine Facebook’s compliance with European Union data protection law as part of an academic paper. "I didn’t turn it in, but don’t tell anybody!" he joked.

As part of his project, Schrems decided not to rely on unsubstantiated rumor or speculation as to precisely what information Facebook holds on individuals. Instead, he would get a copy of all the data that Facebook had on him.

Wonder how many more requests Facebook will be getting for the full range of data now that this has been published. Maybe worth a follow up where an Ars reporter puts in a request for the same data Schrems got?

"I love social networking," he [Schrems] told me. "I’m just not sure that Facebook should be the one running it."

Perfectly stated.

There is an inevitable conflict of interest between the desire of a corporation to make more money, and the rest of society not to be abused by those corporations regarding breaking the law and so forth. The pendulum swings back and forth -- right now I'd argue that in the US it's a little heavy on corporations getting away with stuff at the expense of the citizenry, but it will swing back eventually.

Social networking is the poster child for this, and because so much very private data is involved, the inevitable question is: should *any* single corporation be permitted to run it. If Google+ or MySpace or Friendster were the king, it's hard to imagine them acting any different. It's very hard to cry monopoly for an entirely voluntary system. I think Diaspora was on the right track, but it just can't quite seem to get off the ground.

[Greybeard perspective] This to me is a combination of younger people who had no clue how systems work (internet/logs/persistence of data) but are nonetheless online and a bit naive, older generations who have no understanding of the above, and Gen-X's who aren't technically inclined. In talking with friends in the IT field who fall within the ages of 35-45, most know how much information is stored out in the wild and have opted out of social networking. Furthermore they have taken measures to limit their exposure due to knowledge of how this all works. If you openly, or even not so openly through lackadaisical habits, present personal information to the world, don't be surprised it's logged somewhere.

At an interview in San Francisco, Glancy gushed with praise for Schrems. "He is 10 times smarter than anybody that has done these kinds of practical projects," she told Ars. "He’s just very, very smart, in the cunning sense of smart. He also didn’t start asking questions until he knew he was right."

Hehe. Smart people start asking questions long before they know they are right... otherwise, what's the point?

On a serious note, very happy to see somebody sticking it to Facebook concerning privacy, especially somebody young. I was worried for a second that everybody my age didn't care about this stuff, but evidently, that isn't true.

Seriously, if you don't trust Facebook with your personal data, don't use them. There are other alternative social networking sites around, that is up to you to convince your friends or families to use them. Or just do it without, you are not missing much from Facebook.

I refused to give facebook my phone number or address. A 'friend' with a smartphone had my contact information in their phone. They loaded the facebook app, which took my information from their phone after I refused to give it to facebook and added it to my profile.

Facebook will not respect individual privacy decisions without legislation, audits and compliance penalties. Their corporate ethos is to take the data in a 'no means yes' style, then misdirect; stall; smoke screen; and deceive when confronted in a meaningful way.

Seriously, if you don't trust Facebook with your personal data, don't use them. There are other alternative social networking sites around, that is up to you to convince your friends or families to use them. Or just do it without, you are not missing much from Facebook.

Somehow I don't think that argument would stand up in court for Facebook.

... If you openly, or even not so openly through lackadaisical habits, present personal information to the world, don't be surprised it's logged somewhere.

Agreed. On the other hand, in a social-networking context, I don't think it's unreasonable to expect "deleted" to mean "deleted". The data might reasonably persist on redundant servers for some small-ish amount of time until the delete propagates out, and might reasonably remain on backup media until those backups fall off the rotation, but there should be a hard limit - if I deleted a post / comment / photo / etc more than (10? 30? 60?) days ago, by golly it should be GONE, permanently, period.

[Greybeard perspective] This to me is a combination of younger people who had no clue how systems work (internet/logs/persistence of data) but are nonetheless online and a bit naive, older generations who have no understanding of the above, and Gen-X's who aren't technically inclined. In talking with friends in the IT field who fall within the ages of 35-45, most know how much information is stored out in the wild and have opted out of social networking. Furthermore they have taken measures to limit their exposure due to knowledge of how this all works. If you openly, or even not so openly through lackadaisical habits, present personal information to the world, don't be surprised it's logged somewhere.

I'm happy to say that I dropped Facebook for privacy reasons quite a bit before turning 35 out of a good understanding of how _their_ system works (or, in the case of privacy, doesn't work).

This would be a good time to repeat what I've said in other articles on social networking: you shouldn't be trusting your social networking to a mega-corporation. They simply won't respect your privacy. A distributed social network is a much better solution to this problem, and you can join one today.

I refused to give facebook my phone number or address. A 'friend' with a smartphone had my contact information in their phone. They loaded the facebook app, which took my information from their phone after I refused to give it to facebook and added it to my profile.

Just curious, and I'm not saying it ain't so... just asking the question... how do you know this is how FB got your information?

But I admire the guy's point that he wouldn't mind them storing the data if he knew exactly what they're gonna do with them. Facebook have proved several times that they treat data like a 5-year old treats his/her toys.

On a side note: "They noted that a formal appeal through Irish legal channels would require "financial support for the court costs." "

I once had a similar "run-around" with the Danish administration. Since I was active in the "no war against Iraq group", and war happened, we decided to shift our focus.

One of our members sent a formal request to the Danish administration asking for all documentation pertaining to Denmark's decision to go to war in Iraq. After a long while, he got an answer back "that the full documentation is no less than 5000 pages of size, and as per Danish law, he must pay for all photocopies beyond the number of 50 at the cost of 50 øre per page (around 10 cents)."

True, that's the law. If they looked the guy up, they'd probably know he was kinda a hippie type (he had been in Iraq as a bomb shield for instance), and probably assumed he didn't have any money or would just drop it.

Instead, I, again as a person, made the same request, noting that I wished to pay for all the copies. After a while, I got, I think, 250 or so pages, some with blackened out lines. They sent it for free, though they could have charged me 15USD or so.

So, I rang the department up, recording the conversation, and spoke with the civil servant handling the case. I asked her where the remainder of the documents were. She said "this is all the documents available that we can release, the remainder contains communication with foreign powers, which we can't release". So I told her that I was confused, as I had documentation in front of me saying that they to another person from our organisation had claimed a completely different number of pages (she until then did not know we were connected), and I assumed that either those documents existed, meaning that she was lying to me, or they didn't, meaning they had lied to him.

Anyways, nothing came of it. But we put the recordings up on our webpage to humiliate the administration.

[Greybeard perspective] This to me is a combination of younger people who had no clue how systems work (internet/logs/persistence of data) but are nonetheless online and a bit naive, older generations who have no understanding of the above, and Gen-X's who aren't technically inclined. In talking with friends in the IT field who fall within the ages of 35-45, most know how much information is stored out in the wild and have opted out of social networking. Furthermore they have taken measures to limit their exposure due to knowledge of how this all works. If you openly, or even not so openly through lackadaisical habits, present personal information to the world, don't be surprised it's logged somewhere.

While my beard is also gray, I think there is something to this observation about generational perspectives that hasn't been teased out nearly as well as I would have liked. For older people, tech is magic. For younger people, it's just the way things are. For those of us in the middle, it's something to consider. How did this transition happen so quickly that so few people are in the middle?

This doesn't mess with people? So let me see if I got this straight. Facebook has data on me. That they basically keep forever. Then some dude who lives and works in another country can come in and get that? Did I follow that right?

I'm not sure how I feel about the ongoing Facebook v Privacy issue. I personally don't do social networking (because most of the information dispersed is of such low quality and consequence) and so the issue is moot to me. There are most likely strong ramifications for targeted advertisement.

On the one hand, I see an implied acceptance of lack of privacy when engaging in social networking, as the point of its use is the dissemination of personal information.

On the other hand I can see the case of the users. Since there was no explicit approval for use of personal information, the network should not be allowed to use that information except as approved by the user. Additionally, the user should be able to have their personal information deleted from the network to the extent permissible by law.

That does not mean that a company should not be able to gather information, but should be disallowed from the use of that information except as permitted by the owner of the identity that that information pertains to.

To be clear, I feel that personal information is the property of the person, and the collection of that data is a fair use of that data. Use of that data must explicitly be granted by the owner of that information, much like copyright.

... If you openly, or even not so openly through lackadaisical habits, present personal information to the world, don't be surprised it's logged somewhere.

Agreed. On the other hand, in a social-networking context, I don't think it's unreasonable to expect "deleted" to mean "deleted". The data might reasonably persist on redundant servers for some small-ish amount of time until the delete propagates out, and might reasonably remain on backup media until those backups fall off the rotation, but there should be a hard limit - if I deleted a post / comment / photo / etc more than (10? 30? 60?) days ago, by golly it should be GONE, permanently, period.

I wonder whether Facebook falls under the EU's data retention laws. If they are legally considered a "communications provider", they must by law retain data for no less than 6 months, and no more than 2 years.

I'd say, for the purpose of this law, they ought to count as one, and thus must have systems in place to retain data, but also to delete it of course.

Another good question might be, how much data do they have about me, a non-Facebook user? I have no agreement with FB, yet I don't doubt that my information is being harvested through all the people I know that do use FB. Do I have any right to that information as a non-customer?

Under European Union law, Facebook is required to comply with these requests within 40 days, since its global headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

"I love social networking," he [Schrems] told me. "I’m just not sure that Facebook should be the one running it."

Perfectly stated.

There is an inevitable conflict of interest between the desire of a corporation to make more money, and the rest of society not to be abused by those corporations regarding breaking the law and so forth. The pendulum swings back and forth -- right now I'd argue that in the US it's a little heavy on corporations getting away with stuff at the expense of the citizenry, but it will swing back eventually.

Social networking is the poster child for this, and because so much very private data is involved, the inevitable question is: should *any* single corporation be permitted to run it. If Google+ or MySpace or Friendster were the king, it's hard to imagine them acting any different. It's very hard to cry monopoly for an entirely voluntary system. I think Diaspora was on the right track, but it just can't quite seem to get off the ground.

That's the wrong construct. First and foremost the conflict is between what people do and what they say. They say they want privacy but then turn around and hand over personal information by the bucket-full. The wild popularity of Google, Facebook etc amounts to a pretty clear indication that privacy isn't people's foremost concern. Given that, it's not clear that severe laws penalizing these services are in people's best interest. At the least new privacy laws shouldn't be added lightly.

Is it just me or does it seem that in Europe the law is only the law if they feel like enforcing it? Until then it's hugs and kisses and probably payments under the table. If that doesn't work then they decide if they want to enforce the law. Weird.

I'm not making any judgement in regards to the merits of Europe vs USA. We are equally messed up albeit in completely different ways, i.e. jackboots and political grandstanding.

Under European Union law, Facebook is required to comply with these requests within 40 days, since its global headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

I think far too many people are far too indiscriminate about what they do with their private information, and this coupled with the increasing demand by and increasing number of organizations for people's private information is extremely alarming.

I think it might be advisable to teach people to be suspicious and distrustful, unless proven otherwise, for any organization asking for any degree of private information or registration. We've been teaching our children not to talk to strangers for years, yet as adults, many of us fail to practice the same refrain when "talking" with "strange" companies.

Here's a crazy idea: if you don't want companies to compile data about you, don't use their services. The sense of entitlement among young people has gotten out of hand. It is as if they view Facebook as a right. Beyond that, how stupid are these kids that they fail to understand that in order for social networking to, well, WORK, data has to be collected, shared, and preserved.

Old troll-man does not understand the issue here, but goes out of his way to denigrate the intelligence of others. Also probably thinks that "entitled" is some kind of insult. Conclusion: Old troll-man should go back to telling kids to get off his lawn.

... If you openly, or even not so openly through lackadaisical habits, present personal information to the world, don't be surprised it's logged somewhere.

Agreed. On the other hand, in a social-networking context, I don't think it's unreasonable to expect "deleted" to mean "deleted". The data might reasonably persist on redundant servers for some small-ish amount of time until the delete propagates out, and might reasonably remain on backup media until those backups fall off the rotation, but there should be a hard limit - if I deleted a post / comment / photo / etc more than (10? 30? 60?) days ago, by golly it should be GONE, permanently, period.

So much this. A lot of people here say that "well don't use facebook then" (but with more words), but this is more about how everything is done when you're there. Deleted should mean deleted, even internally. I realize this depends a lot on what it is, but it would be interesting to see details about it.

EDIT: But yes, people are not careful enough about their privacy when it comes to the internet.

Is it just me or does it seem that in Europe the law is only the law if they feel like enforcing it? Until then it's hugs and kisses and probably payments under the table. If that doesn't work then they decide if they want to enforce the law. Weird.

I'm not making any judgement in regards to the merits of Europe vs USA. We are equally messed up albeit in completely different ways, i.e. jackboots and political grandstanding.

"In Europe"? I think you already lost the thread there if you don't understand that there's a huge difference in culture, history and laws between Russia, Germany, Ireland, Greece and Portugal.

As for your accusation of corruption, Ireland is ranked less corrupt than USA. Corruption probably occurs in Ireland, but I doubt it's systemic. And it certainly doesn't happen the way you describe it.

Seriously, if you don't trust Facebook with your personal data, don't use them.

It is crucial to remember and acknowledge that even if you don't use Facebook they are still accumulating data about you. When a user lets Facebook see their address book you get added to Facebook's database. When lots of users do this then they can build up a network of friends with you in it.

Seriously, if you don't trust Facebook with your personal data, don't use them.

It is crucial to remember and acknowledge that even if you don't use Facebook they are still accumulating data about you. When a user lets Facebook see their address book you get added to Facebook's database. When lots of users do this then they can build up a network of friends with you in it.

I wouldn't be surprised if you were "tagged" internally via their facial recognition software with some unique identifier if you are accountless and appear in pictures.

From reading this article and the quotes, I'm not sure how the ODPC can claim they're doing their job properly. The law clearly states that *all data* must be handed over upon request. From what it sounds like, that's not what happened after the ODPC dealt with the complaint.

Instead, Facebook and the ODPC just tapped each other on the back.

Until *all data* is released, the law will not have been complied with, and the ODPC will not have done its job.

Seriously, if you don't trust Facebook with your personal data, don't use them.

I think the problem is more serious than that. My experience is that most US youngsters who use FB don't have a clue about the existence, nature and extent of US laws and regulations (or the lack thereof) regarding personal data protection by companies and 3rd parties, and their rights (or the lack thereof) regarding that information. And a lot of companies exploit this current status, and rightfully so, since they only do what law permits them to do. However, that does not mean that what they're doing is right, it just means the current situation is good as it is for a lot of involved and interested parties and related companies, good enough to not lobby for stricter regulation and more control for users. Well, services like FB - but others as well, all who base their business models on user data gathering, analysis, tracking and _selling_ - could not thrive as easily as they do if the situation was much different, so I don't have high hopes that this situation could change any time soon in the US.

I was a prolific Facebook user until about a year ago, then for various reasons I simply lost interest in it. When the new timeline was released I went through and deleted swathes of irrelevant stuff. Finally a couple of months ago I deleted my account. I think it would be interesting to see how much was really deleted and what new info they have on me since I left.

For those who have not worked in Enterprise IT, one of the truly disturbing things about modern computing systems from a privacy perspective is the persistence of data.

As humans who typically make mistakes, the ability to "undo" has been built deeply into both applications and underlying systems in order to recover from that "oh shit!" moment when you accidentally deleted instead of saving the final draft of that critical executive presentation you just spent hours polishing.

Examples of protection mechanisms include "Trash/Recycling" in OS X/Windows, Undo buttons in almost every office application, ctrl-z, versioning in VMS, etc, while from an Enterprise IT perspective, this means backups, backups, backups...

In an application like Facebook, this sometimes means that the "delete" action is really translated to "hide" in code, making it easier to recover from user mistakes, as actual deletion from a database can cause problems with gaps in data, or requires complex, multi-table deletion procedures in order to prevent creation of orphan data in underlying tables.

What does all of the above mean to the end user? It means that it is VERY DIFFICULT to actually eradicate a specific piece of information from a large enterprise system. In a best case scenario, which assumes that the code allows actual hard deletion of data and related data across an entire system, the original "deleted" data will persist for months/years in backup tapes depending on business/government requirements for data retention.

This difference between "states" of the system could explain the differing amounts of data that Facebook presented to the EU petitioners in the article. My guess is that because he was first/loudest, Schrems got a huge dump of data because some engineer was told to grab everything manually by his User ID, possibly even from backups, while the engineering team developed the data download tool to automate the process for later requests. The data download tool likely only operates on production (active) data, as opposed to archive data (data warehouse, backups, etc.), hence the smaller set size.

In conclusion, as others have mentioned before, think twice before inputting personally identifying information (PII) into any large data system, as once established it will persist for months or years, even if deleted from even the most trustworthy system.
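The soft-delete pattern the comment above describes, and why an export that reads only active rows returns less than a pull of everything held, shown as an added example that is not from the article, the commenter or Facebook. The table layout, the `deleted_at` column, the 30-day limit and all function names are assumptions for illustration, the rows are constructed sample data, and only the live database is modelled, not backups.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical schema: "delete" in the UI only stamps deleted_at (a hide flag).
SCHEMA = """
CREATE TABLE posts (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    body TEXT NOT NULL,
    deleted_at TEXT              -- NULL = visible; timestamp = hidden
);
CREATE TABLE comments (
    id INTEGER PRIMARY KEY,
    post_id INTEGER NOT NULL REFERENCES posts(id) ON DELETE CASCADE,
    body TEXT NOT NULL
);
"""


def build_db(enforce_fk=True):
    """In-memory database with constructed sample rows for user 1."""
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this pragma is on.
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO posts (id, user_id, body) VALUES (?, ?, ?)",
        [(1, 1, "holiday photos"), (2, 1, "rant I regret"), (3, 1, "birthday")],
    )
    conn.executemany(
        "INSERT INTO comments (post_id, body) VALUES (?, ?)",
        [(2, "wow"), (2, "you should delete this")],
    )
    conn.commit()
    return conn


def soft_delete(conn, post_id, now):
    """What the user's delete button does here: hide the row, keep the data."""
    conn.execute(
        "UPDATE posts SET deleted_at = ? WHERE id = ?", (now.isoformat(), post_id)
    )
    conn.commit()


def export_active(conn, user_id):
    """A download tool that reads only what the production site shows."""
    rows = conn.execute(
        "SELECT body FROM posts WHERE user_id = ? AND deleted_at IS NULL ORDER BY id",
        (user_id,),
    )
    return [r[0] for r in rows]


def export_everything(conn, user_id):
    """Everything actually held on the user, hidden rows included."""
    rows = conn.execute(
        "SELECT body FROM posts WHERE user_id = ? ORDER BY id", (user_id,)
    )
    return [r[0] for r in rows]


def purge_expired(conn, now, retention_days=30):
    """Hard-delete rows hidden for longer than the retention limit."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "DELETE FROM posts WHERE deleted_at IS NOT NULL AND deleted_at <= ?",
        (cutoff,),
    )
    conn.commit()
    return cur.rowcount


def orphan_comments(conn):
    """Comments whose parent post is gone: data a naive hard delete leaves behind."""
    return conn.execute(
        "SELECT COUNT(*) FROM comments c LEFT JOIN posts p ON p.id = c.post_id "
        "WHERE p.id IS NULL"
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    soft_delete(db, 2, datetime(2012, 1, 1))
    print("export tool sees:", export_active(db, 1))
    print("actually held:   ", export_everything(db, 1))
    print("purged after 45 days:", purge_expired(db, datetime(2012, 2, 15)))
    print("orphaned comments:", orphan_comments(db))
```

With foreign-key enforcement switched off (`build_db(enforce_fk=False)`), the same purge removes the post but leaves its two comments behind, which is the orphan-data problem the comment mentions.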

I think there is middle ground. People should be responsible and cautious with the information they share with any online social network. The option of not using the services at all for the sake of privacy is, in my opinion, extreme.

I understand that there are other ways to communicate with people besides social networks. However all those options require using some company's service. Why should I be more trusting of Microsoft or Google with my mail? Can I really trust Apple with my iMessages? Is AT&T doing something creepy/illegal regarding my sms or conversations?*** Do people really trust Comcast more than Facebook? Yet I never heard anyone recommend not using Comcast for privacy concerns.

I don't think it is unreasonable to expect a social network to respect my personal data. If a bank messes up with my money, most people would hold the bank liable. If a restaurant poisons its customers, most people would agree in suing that restaurant. However, it seems as if Google, Twitter or Facebook is caught fudging with my personal data, people want to blame me for using/trusting the service as trusting a corporation is something naive.

*** There is no doubt in my mind that carriers give up their customers' info to law enforcement agencies without hesitation. This is pure speculation but I bet most people who don't use Facebook still have some type of cellular service with some carrier who are just as likely not to respect your personal information as Facebook is.